Configure Policies for a WatchGuard SSL Device

If you have a WatchGuard Firebox and a WatchGuard SSL device, we recommend that you install the SSL device on your network behind your Firebox. You must then add an HTTPS policy to the Firebox configuration to allow inbound connections to the SSL device. The procedure you use to add the policy depends on whether your WatchGuard SSL device has a public or private network IP address.

If your WatchGuard SSL device has a private IP address

Configure the Firebox with an HTTPS policy that uses static NAT. This policy must allow connections on port 443 from any external IP address to the private IP address of the WatchGuard SSL device.

For instructions to configure this policy, see Example 1.

If your WatchGuard SSL device has a public IP address

Configure the Firebox with an HTTPS policy that allows connections on port 443 from any external IP address to the public IP address of the WatchGuard SSL device.

For instructions to configure this policy, see Example 2.

Example 1 — WatchGuard SSL Device with a Private IP Address

In this example, the WatchGuard SSL device is connected to the optional network of your Firebox. The WatchGuard SSL device has a private IP address.

WatchGuard Firebox settings

  • Public IP address — 203.0.113.1/24
  • Trusted network IP address — 10.0.1.1/24
  • Optional network IP address — 10.0.2.1/24

WatchGuard SSL 100 device settings

  • Network interface mode — Single interface mode
  • Application portal port — 443
  • Administrator HTTPS port — 8443
  • Eth0 IP address — 10.0.2.60
  • Default gateway — 10.0.2.1/24 (the optional network IP address of the Firebox)

SSL shared resources located on a different network

HTTP (intranet) server — Located on the Firebox trusted network at 10.0.1.80

Add an HTTPS Policy to Allow Incoming Connections

To configure the Firebox to allow connections to the WatchGuard SSL device, you must add an HTTPS packet filter policy that allows connections from the external network to the Eth0 address of the SSL device.

  1. Open Policy Manager for the Firebox that protects your SSL device.
  2. Click the Add Policy icon.
    Or, select Edit > Add Policy.
    The Add Policies dialog box appears.
  3. Expand the Packet Filters folder and select HTTPS.

Add Policies dialog box screen shot

  1. Click Add.
    The New Policy Properties dialog box appears.

HTTPS New Policy Properties dialog box screen shot

  1. (Optional) To change the name of the policy, type a new name in the Name text box.
    For this example, type HTTPS-SSLVPN.
  2. In the From list, select Any-Trusted. Click Remove.
  3. In the From section, click Add and add the address to this policy.
    The Add Address dialog box appears.
  4. In the Available Members list, select Any-External. Click Add.
    Any-External appears in the Selected Members and Addresses list.
  5. Click OK.
    Any-External appears in the From list in the Policy Properties dialog box.
  6. In the To list, select Any-External. Click Remove.
  7. In the To section, click Add.
    The Add Address dialog box appears.
  8. Click Add SNAT.
    The SNAT dialog box appears.
  9. Click Add.
    The Add SNAT dialog box appears.
  10. In the SNAT Name text box, type a name for this SNAT action.
  11. Make sure the Static NAT option is selected.
  12. Click Add.
    The Add Static NAT dialog box appears.
  13. From the External IP Address drop-down list, select the IP address to use for Static NAT.
    For this example, select External. The device then uses the External Firebox IP address, which is 203.0.113.1.
  14. In the Internal IP Address text box, type the Eth0 address of the SSL device.
    For this example, the IP address is 10.0.2.60.

Screen shot of the Add Static NAT / Server Load Balancing dialog box

  1. Click OK.
    The IP addresses appear in the Add SNAT dialog box in the SNAT Members list.
  2. Click OK.
    The SNAT entry appears in the SNAT dialog box.
  3. Click OK.
    The Static NAT entry appears in the Add Address dialog box in the Selected Members and Addresses list.
  4. Click OK.
    The SNAT entry appears in the New Policy Properties To list.

Screen shot of the New Policy Properties dialog box

  1. Click OK.
    The new policy appears in Policy Manager.
  2. In the Add Policies dialog box, click Close.
  3. Save the configuration to the Firebox.

Add a Policy to Enable Access to a Shared Resource

If you have a shared resource that is not located on the same internal network as the WatchGuard SSL device, you must add a policy to the Firebox configuration that allows connections from the WatchGuard SSL device to those resources. The type of policy you add depends on the type of resource.

In this example, you use Policy Manager to allow connections from the WatchGuard SSL device on the 10.0.2.0 optional network to the HTTP server shared resource on the 10.0.1.0 trusted network. Because the resource is an HTTP server, you add an HTTP policy to your Firebox configuration.

  1. Click the Add Policy icon.
    Or, select Edit > Add Policy.
    The Add Policies dialog box appears.
  2. Expand the Packet Filters folder and select HTTP. Click Add.
    The New Policy Properties dialog box appears.

Screen shot of the HTTP New Policy Properties dialog box

  1. (Optional) To change the name of the policy, type a new name in the Name text box.
    For this example, type HTTP-SSLVPN-Resource.
  2. In the From list, select Any-Trusted. Click Remove.
  3. In the From section, click Add.
    The Add Address dialog box appears.
  4. Click Add Other.
    The Add Member dialog box appears. The Type is set to Host IP by default.
  5. In the Value text box, type the Eth0 IP address of the WatchGuard SSL device.
    For this example, type 10.0.2.60.

Add Member dialog box

  1. Click OK.
    The IP address appears in the Add Address Selected Members and Addresses list.
  2. Click OK.
    The IP address appears in the New Policy Properties dialog box in the From list.
  3. In the To list, select Any-External. Click Remove.
  4. In the To section, click Add.
    The Add Address dialog box appears.
  5. Click Add Other.
    The Add Member dialog box appears. The Type is set to Host IP by default.
  6. In the Value text box, type the IP address of the internal HTTP server resource on the trusted network.
    For this example, type 10.0.1.80.

Add Member dialog box

  1. Click OK.
    The IP address appears in the Add Address dialog box Selected Members and Addresses list.
  2. Click OK.
    The New Policy Properties dialog box appears, with the IP address in the To list.

Screen shot of the HTTP-SSLVPN New Policy Properties dialog box

  1. Click OK.
    The new policy appears in Policy Manager.
  2. In the Add Policies dialog box, click Close.
  3. Save the configuration to the Firebox.

The Firebox is now configured to enable the WatchGuard SSL device to communicate with the resource on the other internal network. To enable access to other shared resources on a different network, you must create a firewall policy to allow access to each shared resource.

Add a Custom Policy for SSL Device Management

To manage your WatchGuard SSL device from a computer on a different internal network, you must add a custom policy to allow connections on port 8443. For example, if you want to use a computer on the trusted network to manage the SSL device, you can use Policy Manager to add a custom policy.

  1. Click the Add Policy icon.
    Or, select Edit > Add Policy.
    The Add Policies dialog box appears.
  2. Click New.
    The New Policy Template dialog box appears.

New Policy Template dialog box screen shot

  1. In the Name text box, type a name for this policy template.
    For this example, type SSLVPN-Management.
  2. (Optional) Type a Description for the policy.
    For this example, type Access to the WatchGuard SSL 100 Web UI.
  3. For the policy Type, select Packet Filter.
  4. Click Add.
    The Add Protocol dialog box appears.
  5. From the Type drop-down list, select Single Port.
  6. From the Protocols drop-down list, select TCP.
  7. In the Server Port text box, type 8443.

Add Protocol dialog box

  1. Click OK.
    The New Policy Template dialog box appears, with the TCP:8443 protocol added.

New Policy Template dialog box

  1. Click OK.
    The Add Policies dialog box appears with the policy template you just created selected.
  2. Click Add.
    The New Policy Properties dialog box for the template that you just created appears.

New Policy Properties dialog box

  1. In the To list, select Any-External. Click Remove.
  2. In the To section, click Add.
    The Add Address dialog box appears.
  3. Select Add Other.
    The Add Member dialog box appears. The Type is set to Host IP by default.
  4. In the Value text box, type the Eth0 IP address of the WatchGuard SSL device.
    For this example, type 10.0.2.60.

Add Member dialog box

  1. Click OK.
    The Host IP address appears in the Add Address dialog box in the Selected Members and Addresses list.
  2. Click OK.
    The Host IP address appears in the New Policy Properties dialog box in the To list.
  3. Click OK.
    The new policy appears in Policy Manager.
  4. In the Add Policies dialog box, click Close.
  5. Save the configuration to the Firebox.

Your Firebox is now configured to enable:

  • Users to log in to the SSL Application Portal at https://203.0.113.1.
  • The administrator to log in to the WatchGuard SSL Web UI from any computer on the trusted network at https://10.0.2.60:8443.
  • Access to all shared resources in the application portal.
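The three policies built in Example 1 form a small least-privilege rule set, and it is worth checking what they allow and, just as important, what they do not. The following Python model is an added example, not WatchGuard code or a Firebox export: it encodes the HTTPS-SSLVPN (static NAT), HTTP-SSLVPN-Resource and SSLVPN-Management policies with the addresses from this page and evaluates sample flows against them; the first-match, default-deny semantics and the address-based definition of Any-External are simplifications the model assumes, and the client addresses 198.51.100.7 and 10.0.1.25 are constructed. Example 2 is the same table with the SSL device's public address as the To host and no static NAT entry.

```python
import ipaddress

# Example 1 layout from the page. Anything outside the trusted and optional
# networks is treated as external (model assumption; the Firebox classifies
# by interface, not by address).
TRUSTED = ipaddress.ip_network("10.0.1.0/24")
OPTIONAL = ipaddress.ip_network("10.0.2.0/24")
FIREBOX_EXT = "203.0.113.1"   # Firebox external address
SSL_ETH0 = "10.0.2.60"        # SSL device Eth0 on the optional network
HTTP_SERVER = "10.0.1.80"     # shared resource on the trusted network

# (name, protocol, port, From members, To members, static NAT (external, internal) or None)
POLICIES = [
    ("HTTPS-SSLVPN", "tcp", 443, ["Any-External"], [FIREBOX_EXT], (FIREBOX_EXT, SSL_ETH0)),
    ("HTTP-SSLVPN-Resource", "tcp", 80, [SSL_ETH0], [HTTP_SERVER], None),
    ("SSLVPN-Management", "tcp", 8443, ["Any-Trusted"], [SSL_ETH0], None),
]

def member_matches(addr, member):
    """True if addr belongs to a policy member: an alias or a Host IP entry."""
    a = ipaddress.ip_address(addr)
    if member == "Any-Trusted":
        return a in TRUSTED
    if member == "Any-External":
        return a not in TRUSTED and a not in OPTIONAL
    return a == ipaddress.ip_address(member)

def evaluate(proto, src, dst, port, policies=POLICIES):
    """Return (policy name, destination after static NAT) for an allowed flow,
    or (None, None) if no policy matches. First match wins and unmatched
    traffic is denied (model simplification of Firebox policy ordering)."""
    for name, p_proto, p_port, src_members, dst_members, snat in policies:
        if (p_proto, p_port) != (proto, port):
            continue
        if not any(member_matches(src, m) for m in src_members):
            continue
        if any(member_matches(dst, m) for m in dst_members):
            return name, (snat[1] if snat else dst)
    return None, None

def audit(policies=POLICIES):
    """Map flows of interest to the policy that allows them (None = denied)."""
    ext_client, trusted_pc = "198.51.100.7", "10.0.1.25"  # constructed addresses
    flows = {
        "portal from internet":        ("tcp", ext_client, FIREBOX_EXT, 443),
        "ssl device to http resource": ("tcp", SSL_ETH0, HTTP_SERVER, 80),
        "web ui from trusted pc":      ("tcp", trusted_pc, SSL_ETH0, 8443),
        "web ui from internet":        ("tcp", ext_client, FIREBOX_EXT, 8443),
        "ssl device to other host":    ("tcp", SSL_ETH0, "10.0.1.81", 80),
        "internet to eth0 directly":   ("tcp", ext_client, SSL_ETH0, 443),
    }
    return {label: evaluate(*flow, policies)[0] for label, flow in flows.items()}

if __name__ == "__main__":
    for label, policy in audit().items():
        print(f"{label:30} -> {policy or 'DENIED'}")
```

The last three flows in `audit` are the ones a reviewer should expect to see denied: the management port stays reachable only from the trusted network, and the SSL device reaches only the one shared resource it was given a policy for.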

Example 2 — WatchGuard SSL Device Has a Public IP Address

In this example, the WatchGuard SSL device is connected to the optional network of your Firebox. The WatchGuard SSL device has a public IP address.

WatchGuard Firebox settings:

  • Public IP address — 203.0.113.1/24
  • Trusted network IP address — 10.50.1.1/24
  • Optional network IP address — 10.50.2.1/24

The WatchGuard SSL 100 device settings:

  • Network interface mode — Single interface mode
  • Application portal port — 443
  • Administrator HTTPS port — 8443
  • Eth0 IP address — 10.50.2.60/24
  • Default gateway — 10.50.2.1/24 (the Optional network IP address of the Firebox)

SSL shared resources located on a different network:

HTTP (intranet) server — Located on the Firebox trusted network, at 10.0.1.80

Add an HTTPS Policy to Allow Incoming Connections

To configure the Firebox to allow connections to the WatchGuard SSL device, you must add an HTTPS packet filter policy that allows connections from the external network to the Eth0 address of the SSL device.

  1. Open Policy Manager for the Firebox that protects your SSL device.
  2. Click the Add Policy icon.
    Or, select Edit > Add Policy.
    The Add Policies dialog box appears.
  3. Expand the Packet Filters folder and select HTTPS. Click Add.
    The New Policy Properties dialog box appears.

HTTPS New Policy Properties dialog box

  1. (Optional) To change the name of the policy, in the Name text box, type a new name.
    For this example, type HTTPS-SSLVPN.
  2. In the From list, select Any-Trusted. Click Remove.
  3. In the From section, click Add and add the address for this policy.
    The Add Address dialog box appears.
  4. In the Available Members list, select Any-External. Click Add.
    Any-External appears in the Selected Members and Addresses list.
  5. Click OK.
    Any-External appears in the New Policy Properties dialog box in the From list.
  6. In the To list, select Any-External. Click Remove.
  7. In the To section, click Add.
    The Add Address dialog box appears.
  8. Click Add Other.
    The Add Member dialog box appears. The Type is set to Host IP by default.
  9. In the Value text box, type the Eth0 address of the WatchGuard SSL device.
    For this example, type 203.0.113.1.

Screen shot of the Add Member dialog box

  1. Click OK.
    The IP address you added appears in the Add Address dialog box in the Selected Members and Addresses list.
  2. Click OK.
    The Host IP address you added appears in the New Policy Properties dialog box in the To list.

Screen shot of the New Policy Properties dialog box

  1. Click OK.
    The HTTPS-SSLVPN policy appears in Policy Manager.
  2. In the Add Policies dialog box, click Close.

Add a Policy for Access to a Shared Resource

For any shared resources that are not located on the same internal network as the WatchGuard SSL device, you must add a policy on the Firebox to allow connections from the WatchGuard SSL device to those resources. The type of policy you add depends on the type of resource. In this example, the WatchGuard SSL device is on the 10.0.2.1 optional network, but the HTTP server shared resource is located on the 10.0.1.0 trusted network, so you use Policy Manager to add an HTTP policy.

  1. Click the Add Policy icon.
    Or, select Edit > Add Policy.
    The Add Policies dialog box appears.
  2. Expand the Packet Filters folder and select HTTP. Click Add.
    The New Policy Properties dialog box appears.

HTTP New Policy Properties dialog box screen shot

  1. (Optional) To change the name of the policy, in the Name text box, type a new name.
    For this example, type HTTP-SSLVPN-Resource.
  2. In the From list, select Any-Trusted. Click Remove.
  3. In the From section, click Add.
    The Add Address dialog box appears.
  4. Click Add Other.
    The Add Member dialog box appears. The Type is set to Host IP by default.
  5. In the Value text box, type the Eth0 IP address of the WatchGuard SSL device.
    For this example, type 203.0.113.1.

Screen shot of the Add Member dialog box

  1. Click OK.
    The Host IP address appears in the Add Address dialog box, in the Selected Members and Addresses list.
  2. Click OK.
    The Host IP address appears in the New Policy Properties dialog box in the From list.
  3. In the To list, select Any-External. Click Remove.
  4. In the To section, click Add.
    The Add Address dialog box appears.
  5. Click Add Other.
    The Add Member dialog box appears. The Type is set to Host IP by default.

Add Member dialog box

  1. In the Value text box, type the IP address of the internal HTTP server resource that is located on the trusted network.
    For this example, type 10.0.1.80.
  2. Click OK.
    The Host IP address appears in the Add Address dialog box Selected Members and Addresses list.
  3. Click OK.
    The Host IP address appears in the New Policy Properties dialog box in the To list.

New Policy Properties dialog box

  1. Click OK.
    The new policy appears in Policy Manager.
  2. In the Add Policies dialog box, click Close.
  3. Save the configuration to the Firebox.

The Firebox is now configured to allow the WatchGuard SSL device to communicate with the resource on the other internal network. If there are other shared resources on a different network, you must create a firewall policy to allow access to each shared resource.

Add a Custom Policy for SSL Device Management

To manage your WatchGuard SSL device from a computer on a different internal network, you must set up a custom policy to allow connections on port 8443. For example, if you want to use a computer on the trusted network to manage the SSL device, you can use Policy Manager to add a custom policy.

  1. Click the Add Policy icon.
    Or, select Edit > Add Policy.
    The Add Policies dialog box appears.
  2. Click New.
    The New Policy Template dialog box appears.

New Policy Template dialog box screen shot

  1. In the Name text box, type a name for this policy template.
    For this example, type SSLVPN-Management.
  2. (Optional) In the Description text box, type a description to help you identify the policy.
  3. From the Type section, select Packet Filter as the policy type.
  4. Click Add.
    The Add Protocol dialog box appears.
  5. From the Type drop-down list, select Single Port.
  6. From the Protocols drop-down list, select TCP.
  7. In the Server Port text box, type or select 8443.

Add Protocol dialog box

  1. Click OK.
    The New Policy Template dialog box appears with the new protocol in the Protocols list.

New Policy Template dialog box

  1. Click OK.
    The Add Policies dialog box appears, with the new policy template selected.
  2. Click Add.
    The New Policy Properties dialog box for the template you just created appears.
  3. In the To list, select Any-External. Click Remove.
  4. In the To section, click Add.
    The Add Address dialog box appears.
  5. Select Add Other.
    The Add Member dialog box appears. The Type is set to Host IP by default.
  6. In the Value text box, type the Eth0 IP address of the WatchGuard SSL device.
    For this example, type 203.0.113.1.

Screen shot of the Add Member dialog box

  1. Click OK.
    The Host IP address appears in the Add Address dialog box Selected Members and Addresses list.
  2. Click OK.
    The Host IP address appears in the New Policy Properties dialog box in the To list.

Screen shot of the SSLVPN-Management New Policy Properties dialog box

  1. Click OK.
    The new policy appears in Policy Manager.
  2. In the Add Policies dialog box, click Close.
  3. Save the configuration to the Firebox.

Your Firebox is now configured to enable:

  • Users to log in to the WatchGuard SSL Application Portal at https://203.0.113.1.
  • The administrator to log in to the WatchGuard SSL Web UI from any computer on the trusted network at https://203.0.113.1:8443.
  • Access to all shared resources in the Application Portal.